firebase / firebase-ios-sdk

Firebase SDK for Apple App Development
https://firebase.google.com
Apache License 2.0
FR: Firebase AppCheck Token Validation on Server Side Swift Backends #8925

Open andreivladmatei opened 2 years ago

andreivladmatei commented 2 years ago

As server-side Swift backends evolve (e.g. Vapor), there is a real need to secure them from abuse.

The missing link is a way to use AppCheck to "Verify App Check tokens from a custom backend".

While there is no SDK available for Firebase Admin using Swift, maybe the functionality can be extended first to Firebase REST API?

Any workaround ideas? Calling a Lambda function or a Python script sounds very inefficient.

maksymmalyhin commented 2 years ago

@lahirumaramba @weixifan

maksymmalyhin commented 2 years ago

@andreivladmatei As a temporary workaround you can implement the App Check token verification on your end. This blog post describes how to do it.

andreivladmatei commented 2 years ago

Thanks, I'll give it a try.

Any plans to get this supported officially?

lahirumaramba commented 2 years ago

@andreivladmatei Thank you for reporting this! We understand that there is interest in using Firebase Admin APIs with server-side Swift. We have been discussing this topic with our teams lately; however, this is not something we currently have plans to work on in the near future. We will use this issue to track any progress in the future. Thanks again for your feedback. These are very valuable inputs for us to further improve our SDKs. b/205177095

weixifan commented 2 years ago

> @andreivladmatei As a temporary workaround you can implement the App Check token verification on your end. This blog post describes how to do it.

Thanks @maksymmalyhin for this pointer. To expand on this and for clarification, the custom backend verification solutions outlined in the blog post are supported ways of using App Check. For any language or use case that our SDKs currently do not support, you can still follow the generic solution using App Check's Public API, as outlined in the blog post, to implement your own server-side App Check token verification.

@andreivladmatei We definitely understand that if SDKs for new languages such as Swift become available in the future, using those SDKs will be much more convenient than writing custom backend verification code that interacts directly with App Check's Public API. Thank you for your feedback, and as @lahirumaramba mentioned above, we will be tracking this in our internal ticket as well.